
AutoIt virus?


I'm not trying to give work to the developers, but...

In the compiler we use to build scripts, have a piece of code built into the compiler that also compiles the cookie that saves the ID of the user who logs onto the forum. That way you get the ID and get an idea who builds shit like this. If the person doesn't have a forum ID, then that won't help. It isn't a foolproof way to do it, for a different compiler would get past the trap. It would get most of them though. Just a thought.


Sorry to burst your bubble, volly, but anyone well versed in these techniques would simply nullify such data from their binaries, if in fact they were foolish enough to use a compiler with something like this implemented in it anyway.

@OP

Ask ChromeFan, he seems to have knowledge of this strain of virus. :)


Sorry to burst your bubble, volly, but anyone well versed in these techniques would simply nullify such data from their binaries, if in fact they were foolish enough to use a compiler with something like this implemented in it anyway.

@OP

Ask ChromeFan, he seems to have knowledge of this strain of virus. :)

ChromeFan is a web browser. Are you saying to download it?

No dude, Chrome is a web browser, ChromeFan is a member of this forum who recently requested/probed for possible ways to defeat the very same low-tech virus that you are currently having problems with.

Check here dude :: http://www.autoitscript.com/forum/index.php?showtopic=80739

Thanks, will try it.

No, Chrome is a browser. ChromeFan is a user here who got this same virus. From what we can tell he downloaded some piece of software and became infected with this same virus.

You've already been told how to fix this.

You are right, I think this virus came from installing "SmartMovie Converter for Mobiles", and after that I did not download anything new and my PC was attacked.

But now the thread from which I downloaded it does not exist anymore.

Can you tell me if this virus can steal passwords? Am I hacked or safe?

In the compiler we use to build scripts, have a piece of code built into the compiler that also compiles the cookie that saves the ID of the user who logs onto the forum.

Ouch. And I thought Phorm was bad enough....

All that would do is to compromise the privacy of honest coders. While it might catch a few of the IQ=-20 jobs mentioned before, the serious malware writer will use a virtual machine, and reset it between jobs so there is nothing personally identifying in it. In which case this will prove nothing.

OP: If it's a custom program then conventional antivirus won't find it. This is not a reflection on AutoIt, the same would be true if it were written in COBOL. Or, whatever. Antivirus programs work by looking for patterns, and a custom piece of malware will not contain any recognisable patterns.

I would suggest running Sysinternals' Autoruns.exe to see what is being launched that shouldn't be. Select 'Hide Microsoft entries' and then press F5 (refresh) to simplify the listing. Note: beware that this is a powerful utility, and you can do damage with it if incautious.

Nirsoft have another useful applet, OpenedFilesView, which can tell you which files are in-use. These between them may give you some idea what the filename (or filenames) are that are being auto-launched, and where they are located.


I recommend AnVir Task Manager Free edition, it does most of the above and tons more besides, service management etc.

Or if you really want to go dark on it download DTaskManager by Dimio.

To sort of mirror what Anteaus said, AutoIt3 is powerful, very powerful, and with such power comes responsibility.

There are many ways to defeat this tool; I would say that 20% of them have already been suggested by other members anyway.

Edited by Mobius


If it's a similar one to the one we fragged, then all it does is simply trawl each individual window for strings and titles commonly used by such software.

All we did for this was suspend the process (Task Manager) prior to execution and change the window title to something else and then unsuspend it.

This is OTT though dude, we were determined.

LOL in the end all we really had to do was open a cmd prompt and use task commands to kill it.

How about some of the other members' suggestions? They are more akin to what you need to do.

ED::

If your CD/DVD or USB drives are still operable why not just use a bootable environment such as BartPE or a linux distro.

Since you know the name of the malicious exe, just delete it. Or NTFS4DOS via a floppy disk should be able to do the same for you.

ANOTHER_ED:: Not to bolster my post count...

Just remembered that while in safe mode we were able to overload this sucka with repeated attempts to load different task-like managers at the same time, but stay away from the standard Windows Task Manager because it simply altered the CTRL+ALT+DEL registry entry to instigate the whole shebang all over again. Stick to 3rd party managers.

:)

Edited by Mobius

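The posts above suggest looking at what is being auto-launched (Autoruns) and mention that the malware re-enables itself through the Task Manager registry entry. The following read-only PowerShell triage script is an added example, not from the thread or any poster; it lists the usual auto-start keys and the Task Manager policy value and changes nothing. It assumes the entry the poster meant is the DisableTaskMgr policy value.

```powershell
# Added defender-side triage script (not from the thread). Read-only: it lists
# the auto-start locations that Autoruns would show and reports the Task Manager
# policy value. Assumption: the "CTRL+ALT+DEL registry entry" mentioned in the
# thread is the DisableTaskMgr policy value.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

"== Auto-start entries =="
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        # Each value is a command line that runs at logon; anything pointing at a
        # temp folder, a user profile or an unfamiliar exe deserves a closer look.
        "{0}\{1} = {2}" -f $key, $name, $item.GetValue($name)
    }
}

# Winlogon Shell/Userinit run before the desktop appears, so a changed value
# here means the malware starts even if the Run keys are clean.
"== Winlogon =="
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon
"Shell    = {0}" -f $wl.Shell        # expected: explorer.exe
"Userinit = {0}" -f $wl.Userinit     # expected: <system32>\userinit.exe,

# DisableTaskMgr = 1 under either hive blocks Task Manager by policy.
"== Task Manager policy =="
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $v = (Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    "{0} DisableTaskMgr = {1}" -f $hive, $(if ($null -eq $v) { '(not set)' } else { $v })
}
```

Run it from a third-party console or a boot environment as the posters advise, since the malware described closes windows it recognises; the output is only a starting point for deciding which entry to remove.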

I have already tried this but the virus closes the window very soon, before I can do anything.

Have you already read the post recommended previously?

Surely, this kind of virus knows the common actions and avoids any removal. Most antivirus software isn't able to detect things like that.

Obviously, this isn't a forum for virus infections, but you could try HijackThis and post the results... but first read the post recommended.

edit: typos.

Edited by Josbe

Have you already read the post recommended previously?

Surely, this kind of virus knows the common actions and avoids any removal. Most antivirus software isn't able to detect things like that.

Obviously, this isn't a forum for virus infections, but you could try HijackThis and post the results... but first read the post recommended.

edit: typos.

I already have this but I cannot install or uninstall any software, because the virus closes the window and the setup.

Already tried to remove the virus in Safe Mode, but the virus also runs there and I was not able to show hidden files. Safe Mode is also infected and I don't know the locations of the virus.

So you have booted into safe mode, probably via your Administrator account. What are you left with?

Does this malware hide/kill ALL types of windows?

Does your shell even load?

Is this malware obvious? i.e. when you were in normally booted Windows, did it give any sort of indication of its existence::

Periodic distorted sounds - If a window did actually appear, did it seem as if certain controls were flickering rapidly?

Distorted effects when attempting to use the keyboard?

If your shell does still operate, then have you attempted to use SmOke_N's script discussed in the previous topic?

BTW:: check the General tab, it should display the actual location of this exe.

Edited by Mobius
